Android Enterprise (Android for work) CA and SCEP certs

  • Question

  • Over the last few weeks I have been working on configuring Android for work profiles to deploy CA and SCEP certs to the devices.  This setup took quite some time and eventually led to a ticket working with Azure professional services to work through several certificate deployment issues.

    The end product is the certs are deploying successfully to the phones.  Since android for work creates a separate partition the phone host is unable to see these certs which means they are not available for wireless use.

    I believe this is already discussed in a few other blogs, etc. however I have not found any supported method to use SCEP cert based authentication using Intune and Android for work.  Has anyone else got this to work?  What about only deploying the wireless settings and cert settings to standard Android profiles and everything else such as applications, etc. to Android for work profiles?  Would it be supported to run both Android and Android for work profiles?

    Monday, August 13, 2018 8:28 PM

All replies

  • Hi,

    Thanks for your information.

    From the description, I cannot figure out the meaning of "the phone host is unable to see these certs". I can provide the whole process of configuring and using SCEP certificates with Intune:

    It's also supported for Android. You can read the details about configuring a certificate profile for devices in Microsoft Intune with supported device platforms:

    In addition, I think deploying policy, apps and certificates is a wireless setting between Intune and devices. And there are settings for wifi:

    Best regards,

    Tuesday, August 14, 2018 6:24 AM
  • It does work for Android profiles however we are not able to get this working with Android enterprise, Android for work.

    As explained, the certs deploy correctly however they are not visible on the phone as Android for work has its own partition and the certs are within this partition.  It seems as though the wireless settings are only looking at the main partition, which I referred to as the host; the wireless settings are not able to see the deployed certs as they are within the context of the Android for work partition.

    I have seen several other people explaining the same issue in forums and even the Azure Professional support indicated they are aware of this issue however he was not aware of a fix.  

    So my question is, how can the Wireless settings on an android phone access the certs if they are deployed within the Android for work partition?

    Tuesday, August 14, 2018 2:43 PM
  • Any comments on this?  This seems to be a known problem.  Seems strange this is documented as if it works however it clearly is not working as expected with Android for work.  The Azure professional support also was aware this does not work properly with Android for work.

    So, does that mean we consider using a combination of Android for work for everything except wireless settings and use standard Android profiles for wireless configuration?

    Here is a detailed explanation from another person.

    • Proposed as answer by Johnson ZDH Friday, August 17, 2018 9:27 AM
    Thursday, August 16, 2018 7:09 PM
  • In Microsoft Intune, third-party certification authorities (CA) can be added. These CAs can deliver certificates to mobile devices using the Simple Certificate Enrollment Protocol (SCEP). This feature can issue new certificates and renew certificates on Windows, iOS, Android, and macOS devices.

    There are two parts to using this feature: open-source API, and the Intune administrator tasks.

    Part 1 - Use an open-source API
    Microsoft created an API that integrates with Intune to validate certificates, send success or failure notifications, and use SSL, specifically SSL socket factory, to communicate with Intune.

    Part 2 - Create the application and profile
    Using an Azure Active Directory (Azure AD) application, you can delegate rights to Intune to handle SCEP requests coming from devices. The Azure AD application includes application ID and authentication key values that are used within the API solution the developer creates. Administrators can then create and deploy SCEP certificates profiles using Intune. You can also view reports on the deployment status on the devices.

    This article provides an overview of this feature from an Administrator-perspective, including creating the Azure AD application.


    The following steps provide an overview of issuing SCEP certificates in Intune:

    1. In Intune, an administrator creates a SCEP certificate profile, and then targets the profile to users or devices.
    2. The device checks in to Intune.
    3. Intune creates a unique SCEP challenge. It also adds additional integrity-check information, such as what the expected subject and SAN should be.
    4. Intune encrypts and signs both the challenge and integrity-check information, and then sends this information to the device with the SCEP request.
    5. The device generates a certificate signing request (CSR) and public/private key pair on the device based on the SCEP certificate profile that's pushed from Intune.
    6. The CSR and encrypted/signed challenge are sent to the third-party SCEP server endpoint.
    7. The SCEP server sends the CSR and the challenge to Intune. Intune then validates the signature, decrypts the payload, and compares the CSR to the integrity-check information.
    8. Intune sends back a response to the SCEP server, and states whether the challenge validation is successful or not.
    9. If the challenge is successfully verified, then the SCEP server issues the certificate to the device.

    Thursday, November 15, 2018 4:35 AM
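The nine-step challenge flow quoted above, modelled as an added Python example (not code from the thread, Intune or Microsoft's API). It stands in for Intune's signing with an HMAC over a constructed shared key, models the CSR as a plain dict rather than PKCS#10, and omits the encryption step; what it does show is the part that matters for security: the SCEP server issues only after Intune verifies the challenge signature, rejects a replayed challenge, and confirms the CSR's subject and SAN match the integrity-check data Intune recorded.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key standing in for Intune's signing material (assumption).
INTUNE_SIGNING_KEY = b"constructed-intune-signing-key"
_USED_CHALLENGES = set()  # Intune-side record of challenges already redeemed


def intune_create_challenge(expected_subject, expected_sans):
    """Steps 3-4: a unique challenge plus integrity-check info (expected subject/SAN), signed."""
    payload = {"challenge": secrets.token_hex(16),
               "subject": expected_subject,
               "sans": sorted(expected_sans)}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(INTUNE_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def device_build_csr(subject, sans):
    """Step 5: the device builds a CSR from the pushed profile (dict instead of real PKCS#10)."""
    return {"subject": subject, "sans": sorted(sans), "pubkey": secrets.token_hex(8)}


def intune_validate(challenge, csr):
    """Step 7: verify the signature, reject replays, then compare CSR to integrity-check info."""
    expected = hmac.new(INTUNE_SIGNING_KEY, challenge["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["sig"]):
        return False, "challenge signature invalid"
    info = json.loads(challenge["body"])
    if info["challenge"] in _USED_CHALLENGES:
        return False, "challenge already used"
    if csr["subject"] != info["subject"]:
        return False, "CSR subject does not match challenge"
    if csr["sans"] != info["sans"]:
        return False, "CSR SAN does not match challenge"
    _USED_CHALLENGES.add(info["challenge"])
    return True, "ok"


def scep_server_issue(challenge, csr):
    """Steps 6-9: the SCEP server forwards CSR + challenge to Intune and issues only on success."""
    ok, reason = intune_validate(challenge, csr)
    return {"issued": ok, "reason": reason, "subject": csr["subject"] if ok else None}
```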
  • Hello,

    Did you manage to get this to work? Please advise? Any gotcha?

    Wednesday, February 20, 2019 8:49 PM
  • Hi

    Do you know how to push SCEP certs to Android Enterprise? 

    Thursday, May 16, 2019 8:44 AM